malwarewikiaorg-20200223-history
Zorro
Zorro is ransomware that runs on Microsoft Windows. It was discovered by Lawrence Abrams. It is aimed at English-speaking users.

Payload Transmission
Zorro is distributed through email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection
Zorro enters a computer automatically, scans all drives for certain file types, and then encrypts these files using a strong encryption scheme that combines RSA and AES. Zorro targets files located on all local drives, including network storage and external memory devices connected to the infected machine. Zorro avoids the directories Windows, AppData, Program Files, Program Files (x86), Temp, ProgramData, and System Volume Information so that the attack does not stop Windows from working; Zorro requires Windows to remain operational so that it can demand a ransom payment from the victim. Zorro marks all encrypted files with the extension '.zorro', which is added to the end of each affected file's name. It appends .zorro to files carrying any of a long list of targeted extensions.
After encrypting the victim's files, Zorro delivers its ransom note by dropping a text file on the infected computer's desktop. This file, named 'Take_Seriously (Your saving grace).txt', demands the payment of 1 Bitcoin (approx. $1000 USD at the current exchange rate) and includes information on how to carry out the payment and contact the con artists. Below is the text of Zorro's ransom note:

IMPORTANT NOTICE THAT IS URGENT AND TRUE
DEAR Sir/Ma,
Sorry to inform you but your files has just been encrypted with a strong key. This simply mean that you will not be able to use your files until it is decrypted by the same key used in encrypting it. To get the Key, you have to make a payment to us so as to recover your files.
You have the grace of 3 days from now to pay the sum of 1 BTC to the bitcoin address below:
BITCOIN ADDRESS:=>> 19DbpPPahyjVupryKZerpWZ2LG57JqYcgC
Today has just begun the count-down of the payment before your files become unstable and entirely useless. So, my advice to you is to pay up the amount to the bitcoin address above. Pay 1 BTC.
NOTE: Bitcoin doesn't need a bank account - your bitcoin wallet is your bank account, and you don't need any permissions or paperwork to start using bitcoin. GOTO http://localbitcoins.com/ to change cash to bitcoins and vice versa, you don't need any kind of bank account at all.
When payment is made, a decrypting software with the embedded strong key used in encrypting your files will be emailed to you to decrypt your files and start using it again.
ONCE PAYMENT IS MADE THE DECRYPTION PROGRAM WILL BE EMAILED TO YOU SO YOU CAN USE YOUR FILES ONCE AGAIN.
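As an added defender-side example (not code from the original page or from the malware's author), the markers described above can be turned into a simple triage check: the script walks a directory tree, counts files carrying the .zorro extension, lists the directories holding them and locates the ransom note, pruning the same directories Zorro skips. The function names and the constructed sample tree are assumptions made for this example.

```python
import os
import tempfile

ZORRO_EXT = ".zorro"                                    # marker appended to encrypted files
RANSOM_NOTE = "Take_Seriously (Your saving grace).txt"  # note dropped on the desktop
# Directories the page says Zorro leaves alone so Windows keeps running.
SKIPPED_DIRS = {"Windows", "AppData", "Program Files", "Program Files (x86)",
                "Temp", "ProgramData", "System Volume Information"}


def scan_for_zorro(root):
    """Walk root and report '.zorro' files, the directories holding them,
    and every copy of the ransom note, pruning the directories Zorro skips."""
    report = {"encrypted_files": 0, "affected_dirs": set(), "notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into the skipped directories.
        dirnames[:] = [d for d in dirnames if d not in SKIPPED_DIRS]
        for name in filenames:
            if name == RANSOM_NOTE:
                report["notes"].append(os.path.join(dirpath, name))
            elif name.lower().endswith(ZORRO_EXT):
                report["encrypted_files"] += 1
                report["affected_dirs"].add(dirpath)
    report["affected_dirs"] = sorted(report["affected_dirs"])
    return report


def build_sample_tree():
    """Build a constructed directory layout imitating a post-infection
    user profile (sample data for this example, not a real capture)."""
    root = tempfile.mkdtemp(prefix="zorro_demo_")
    layout = {
        "Desktop": [RANSOM_NOTE, "report.docx.zorro", "budget.xlsx.zorro"],
        "Pictures": ["holiday.jpg.zorro", "notes.txt"],
        "Windows": ["explorer.exe"],  # untouched by Zorro, pruned by the scan
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for filename in files:
            with open(os.path.join(root, sub, filename), "w") as fh:
                fh.write("sample content")
    return root


if __name__ == "__main__":
    result = scan_for_zorro(build_sample_tree())
    print(f"{result['encrypted_files']} encrypted files in {result['affected_dirs']}")
    print("ransom notes:", result["notes"])
```

Running the scan over a real profile root instead of the sample tree gives a quick count of damage and confirms whether the note was actually dropped.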